Add NACM rules

NACM completely bypasses sysrepo permissions, so some rules need to be
set up. Now that the default shell for non-root users is netconf-cli, we
can completely forget about the sysrepo permissions, and only focus on
NACM. The default configuration for everyone is to allow reading and
disallow writing of everything. This patch changes this to allow root to
do anything and also allow the dwdm user to manipulate a subset of
installed modules.

Change-Id: Ifbb18957ba8a692b4a34ba37dba666b60819a2e6
diff --git a/doc/architecture.md b/doc/architecture.md
index 1ffd550..1d964ff 100644
--- a/doc/architecture.md
+++ b/doc/architecture.md
@@ -32,7 +32,8 @@
 - the YANG modules for `netopeer2-server` are added via `netopeer2-install-yang.service` (via our Buildroot patches),
 - CzechLight-specific YANG modules and their initial data are added via [`czechlight-install-yang.service`](../package/cla-sysrepo/czechlight-install-yang.service),
 - system configuration is restored from the persistent location in `/cfg` via [`cfg-restore-sysrepo.service`](../package/czechlight-cfg-fs/cfg-restore-sysrepo.service),
-- configuration of the Netopeer server gets re-checked via 'netopeer2-setup.service` (once again in our Buildroot patches); this is needed especially during the first boot with no previous configuration to restore,
+- configuration of the Netopeer server gets re-checked via `netopeer2-setup.service` (once again in our Buildroot patches); this is needed especially during the first boot with no previous configuration to restore,
+- configuration of NACM is applied via [`nacm-restore.service`](../package/czechlight-cfg-fs/nacm-restore.service),
 - finally, any daemons that use sysrepo are started.
 
 We are also [using a `tmpfs` mount at `/run/sysrepo`](../package/reset-sysrepo/run-sysrepo.mount) that [gets wiped out whenever a sysrepo service fails](../package/reset-sysrepo/reset-sysrepo.mk).
diff --git a/package/cla-sysrepo/cla-appliance.service.in b/package/cla-sysrepo/cla-appliance.service.in
index 2cf20b0..8263bc8 100644
--- a/package/cla-sysrepo/cla-appliance.service.in
+++ b/package/cla-sysrepo/cla-appliance.service.in
@@ -1,9 +1,9 @@
 [Unit]
 Description=CzechLight __MODEL__ driver
-After=syslog.target network.target czechlight-install-yang.service cfg-restore-sysrepo.service
+After=syslog.target network.target czechlight-install-yang.service cfg-restore-sysrepo.service nacm-restore.service
 Before=rauc-mark-good.service velia-hardware-g1.service velia-hardware-g2.service
 PartOf=netopeer2.service
-Requires=czechlight-install-yang.service cfg-restore-sysrepo.service
+Requires=czechlight-install-yang.service cfg-restore-sysrepo.service nacm-restore.service
 StartLimitIntervalSec=0
 ConditionKernelCommandLine=|czechlight=__MODEL__
 ConditionKernelCommandLine=|czechlight=__MODEL__-g2
diff --git a/package/czechlight-cfg-fs/czechlight-cfg-fs.mk b/package/czechlight-cfg-fs/czechlight-cfg-fs.mk
index aebc14b..cabfabe 100644
--- a/package/czechlight-cfg-fs/czechlight-cfg-fs.mk
+++ b/package/czechlight-cfg-fs/czechlight-cfg-fs.mk
@@ -22,6 +22,12 @@
 		$(TARGET_DIR)/sbin/init-czechlight.sh
 	$(INSTALL) -D -m 0755 $(@D)/czechlight-random-seed $(TARGET_DIR)/sbin/czechlight-random-seed
 	mkdir -p $(TARGET_DIR)/cfg
+	$(INSTALL) -D -m 0644 \
+	    --target-directory $(TARGET_DIR)/usr/lib/systemd/system/ \
+	    $(BR2_EXTERNAL_CZECHLIGHT_PATH)/package/czechlight-cfg-fs/nacm-restore.service
+	$(INSTALL) -D -m 0644 \
+	    --target-directory $(TARGET_DIR)/usr/share/yang-data/ \
+	    $(BR2_EXTERNAL_CZECHLIGHT_PATH)/package/czechlight-cfg-fs/nacm.json
 	$(ifeq ($(CZECHLIGHT_CFG_FS_PERSIST_SYSREPO),y))
 		mkdir -p $(TARGET_DIR)/usr/lib/systemd/system/multi-user.target.wants/
 		$(INSTALL) -D -m 0644 \
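Review bot: nacm-restore.service is installed into /usr/lib/systemd/system/ but no symlink is created in multi-user.target.wants/, unlike the symlink-creating pattern used just below for sysrepo-persistent-cfg, so the unit's `[Install] WantedBy=multi-user.target` is never acted on and the unit only runs because the sysrepo daemon units `Requires=` it. That holds as long as every image always contains at least one such consumer, which I cannot confirm from this hunk. If relying on `Requires=` is deliberate, a comment above the install line such as `# no wants symlink on purpose: nacm-restore.service is pulled in via Requires= from the sysrepo daemon units` records it; otherwise install the symlink the same way as for sysrepo-persistent-cfg so NACM is applied even when none of those daemons is started.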
diff --git a/package/czechlight-cfg-fs/nacm-restore.service b/package/czechlight-cfg-fs/nacm-restore.service
new file mode 100644
index 0000000..96dfb7c
--- /dev/null
+++ b/package/czechlight-cfg-fs/nacm-restore.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Restore NACM rules
+After=netopeer2-install-yang.service czechlight-install-yang.service cfg.mount
+Requires=netopeer2-install-yang.service czechlight-install-yang.service cfg.mount
+Before=netopeer2-setup.service netopeer2.service sysrepo-persistent-cfg.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/bin/sysrepocfg -d startup -m ietf-netconf-acm -f json --import=/usr/share/yang-data/nacm.json
+ExecStart=/bin/sysrepocfg -C startup
+
+[Install]
+WantedBy=multi-user.target
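Review bot: The unit has no ordering against cfg-restore-sysrepo.service, yet the second ExecStart, `sysrepocfg -C startup`, copies the whole startup datastore (every module, not just ietf-netconf-acm) into running; if cfg-restore-sysrepo.service writes running at the same time, which configuration ends up in running depends on which unit finishes first. Adding `After=cfg-restore-sysrepo.service` to [Unit] (architecture.md lists the NACM step after the config restore) and narrowing the copy to `ExecStart=/bin/sysrepocfg -C startup -m ietf-netconf-acm` would confine this unit to the NACM module, assuming the installed sysrepocfg accepts -m together with -C. Note also that `--import` replaces the module's startup content wholesale, so any NACM edit an operator makes lives only until the next boot; that matches the unit's "restore" intent, but a comment in the [Service] section stating it, e.g. `# --import replaces the entire ietf-netconf-acm startup config from the image; operator NACM changes do not survive a reboot`, would spare the next reader the surprise.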
diff --git a/package/czechlight-cfg-fs/nacm.json b/package/czechlight-cfg-fs/nacm.json
new file mode 100644
index 0000000..f3e5fbd
--- /dev/null
+++ b/package/czechlight-cfg-fs/nacm.json
@@ -0,0 +1,32 @@
+{
+    "ietf-netconf-acm:nacm": {
+        "rule-list": [
+            {
+                "name": "Allow DWDM control to the optics group",
+                "group": ["optics"],
+                "rule": [
+                    {
+                        "name": "czechlight-roadm-device",
+                        "module": "czechlight-roadm-device",
+                        "action": "permit"
+                    },
+                    {
+                        "name": "czechlight-inline-amp",
+                        "module": "czechlight-inline-amp",
+                        "action": "permit"
+                    },
+                    {
+                        "name": "czechlight-coherent-add-drop",
+                        "module": "czechlight-coherent-add-drop",
+                        "action": "permit"
+                    },
+                    {
+                        "name": "czechlight-calibration-device",
+                        "module": "czechlight-calibration-device",
+                        "action": "permit"
+                    }
+                ]
+            }
+        ]
+    }
+}
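Review bot: The policy and the commit message disagree: the message says root may do anything and the dwdm user gets a subset of modules, but this file holds a single rule-list for group `optics` and nothing that grants root. If root's access comes from sysrepo or netopeer2 treating root as the NACM recovery user, that is worth stating in the commit message or architecture.md, since nobody reading nacm.json can see it; otherwise a rule-list is missing. None of the rules sets `access-operations`, so the YANG default `*` applies and the optics group gets create, read, update, delete and exec on those four modules, which is presumably the intent; spelling it out with `"access-operations": "*"` on each rule documents it. Because `enable-external-groups` is left at its YANG default of true, group membership is expected to come from the system groups, so an `optics` group containing the dwdm user must exist on the image, which I cannot verify from this change.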
diff --git a/package/lldp-systemd-networkd-sysrepo/lldp-systemd-networkd-sysrepo.service b/package/lldp-systemd-networkd-sysrepo/lldp-systemd-networkd-sysrepo.service
index 69cfad0..f903427 100644
--- a/package/lldp-systemd-networkd-sysrepo/lldp-systemd-networkd-sysrepo.service
+++ b/package/lldp-systemd-networkd-sysrepo/lldp-systemd-networkd-sysrepo.service
@@ -1,7 +1,7 @@
 [Unit]
 Description=lldp-systemd-networkd-sysrepo is a sysrepo application announcing LLDP neighbours from systemd-networkd.
-After=syslog.target network.target czechlight-install-yang.service cfg-restore-sysrepo.service
-Requires=czechlight-install-yang.service cfg-restore-sysrepo.service
+After=syslog.target network.target czechlight-install-yang.service cfg-restore-sysrepo.service nacm-restore.service
+Requires=czechlight-install-yang.service cfg-restore-sysrepo.service nacm-restore.service
 PartOf=netopeer2.service
 
 [Service]
diff --git a/package/reset-sysrepo/reset-sysrepo.mk b/package/reset-sysrepo/reset-sysrepo.mk
index 89e653c..1fba992 100644
--- a/package/reset-sysrepo/reset-sysrepo.mk
+++ b/package/reset-sysrepo/reset-sysrepo.mk
@@ -22,6 +22,7 @@
 		lldp-systemd-networkd-sysrepo.service \
 		netopeer2.service \
 		sysrepo-persistent-cfg.service \
+		nacm-restore.service \
 		velia-system.service \
 		velia-hardware-g1.service \
 		velia-hardware-g2.service \
diff --git a/package/velia/velia-hardware-g1.service b/package/velia/velia-hardware-g1.service
index dceb28e..bef35f6 100644
--- a/package/velia/velia-hardware-g1.service
+++ b/package/velia/velia-hardware-g1.service
@@ -1,9 +1,9 @@
 [Unit]
 Description=Tracking hardware metrics
-After=syslog.target network.target czechlight-install-yang.service cfg-restore-sysrepo.service
+After=syslog.target network.target czechlight-install-yang.service cfg-restore-sysrepo.service nacm-restore.service
 Before=rauc-mark-good.service
 PartOf=netopeer2.service
-Requires=czechlight-install-yang.service cfg-restore-sysrepo.service
+Requires=czechlight-install-yang.service cfg-restore-sysrepo.service nacm-restore.service
 ConditionKernelCommandLine=|czechlight=sdn-inline
 ConditionKernelCommandLine=|czechlight=sdn-roadm-add-drop
 ConditionKernelCommandLine=|czechlight=sdn-roadm-coherent-a-d
diff --git a/package/velia/velia-hardware-g2.service b/package/velia/velia-hardware-g2.service
index 2d71f43..f3021e4 100644
--- a/package/velia/velia-hardware-g2.service
+++ b/package/velia/velia-hardware-g2.service
@@ -1,9 +1,9 @@
 [Unit]
 Description=Tracking hardware metrics
-After=syslog.target network.target czechlight-install-yang.service cfg-restore-sysrepo.service
+After=syslog.target network.target czechlight-install-yang.service cfg-restore-sysrepo.service nacm-restore.service
 Before=rauc-mark-good.service
 PartOf=netopeer2.service
-Requires=czechlight-install-yang.service cfg-restore-sysrepo.service
+Requires=czechlight-install-yang.service cfg-restore-sysrepo.service nacm-restore.service
 ConditionKernelCommandLine=|czechlight=sdn-inline-g2
 ConditionKernelCommandLine=|czechlight=sdn-roadm-add-drop-g2
 ConditionKernelCommandLine=|czechlight=sdn-roadm-coherent-a-d-g2
diff --git a/package/velia/velia-system.service b/package/velia/velia-system.service
index 57a9a40..cd8db60 100644
--- a/package/velia/velia-system.service
+++ b/package/velia/velia-system.service
@@ -1,9 +1,9 @@
 [Unit]
 Description=System management via sysrepo
-After=syslog.target network.target czechlight-install-yang.service cfg-restore-sysrepo.service
+After=syslog.target network.target czechlight-install-yang.service cfg-restore-sysrepo.service nacm-restore.service
 Before=rauc-mark-good.service
 PartOf=netopeer2.service
-Requires=czechlight-install-yang.service cfg-restore-sysrepo.service
+Requires=czechlight-install-yang.service cfg-restore-sysrepo.service nacm-restore.service
 ConditionKernelCommandLine=czechlight
 
 [Service]
diff --git a/submodules/velia b/submodules/velia
index 0eefdf1..1f21fae 160000
--- a/submodules/velia
+++ b/submodules/velia
@@ -1 +1 @@
-Subproject commit 0eefdf13b13ebdecc2392d21f045f3bee867c539
+Subproject commit 1f21fae9aef64630cba8939b5807c724de2886c9